Description

Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces that are exposed to the Internet. We are actively investigating this activity.

We strongly recommend that customers ensure access to the management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice.

Solution

At this time, securing access to the management interface is the recommended action.

As Palo Alto Networks investigates the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible.

Palo Alto Networks will continue to update this advisory as more information becomes available.

Please subscribe to the RSS feed, https://security.paloaltonetworks.com/rss.xml, or email notices at https://support.paloaltonetworks.com/SupportAccount/Preferences for notifications.

Please refer to the following step-by-step configuration guide for applying the management interface best practices:

How to Secure the Management Access of Your Palo Alto Networks Device

It is very important to secure the management interface and management network to prevent exploitation. That way, even if an attacker or a disgruntled (ex-)employee knows the login credentials of your devices, you can still prevent them from getting in.

Best practice is to use the out-of-band management (MGT) port for firewall administrative tasks. We understand that there are some scenarios where, instead of using the MGT port, one would configure one of the data ports for management access to the firewall. Whatever your setup is, it is key to make it a hard target for attackers, protect the firewall/Panorama, and NEVER enable access to your management interface from the internet or from other untrusted zones. This applies whether you use the dedicated management port (MGT) or you configure a data port as your management interface.

Below are some guidelines to reduce exposure to your management interface (Device > Setup > Interfaces > Management):

  • Isolate the management interface on a dedicated management VLAN.
  • Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
  • Limit inbound IP addresses to your mgt interface to approved management devices. This reduces the attack surface by preventing access from unexpected IP addresses and blocks access with stolen credentials from anywhere else. (1)
  • Only permit secured communication such as SSH, HTTPS. (2)
  • Only allow PING for testing connectivity to the interface. (3)

Device > Setup > Interfaces > Management

If you're using a data port for the management of your device, then you will work with a Management Profile to restrict access to the interface.

Network > Network Profiles > Interface Mgmt

Aside from limiting access to the management interface, there are also guidelines for the administrator accounts:

  • It is recommended to remove the default 'admin' account from your device. Note: You can only delete the default admin account using a new superuser account.

Default admin account was deleted by supreme leader

  • Do NOT share administrative accounts. Instead, create a separate account for each administrator. This allows you to better protect the firewall from unauthorized configuration. It also enables you to monitor every action of each individual administrator.
  • Assign admin roles to your different administrators and allow only those actions that are needed (some administrators might be allowed to change security policies, while others are only allowed to check log files, for example). The firewall has some predefined admin roles available, but you can easily configure your custom admin role profile (Device > Admin Roles).

Use one of the predefined profiles or create your own custom profile

  • Configure a strict password policy, including requiring frequent password changes (Device > Setup > Management > Minimum Password Complexity).

Strong password policies protect you from various password hacking techniques.

Device > Setup > Management > Minimum Password Complexity
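As an added example (not part of this advisory or of any Palo Alto Networks tooling), the following script audits an exported PAN-OS configuration against the guidelines above: permitted-IP restrictions on the MGT interface and on Interface Management profiles used on data ports, cleartext services (HTTP, Telnet) left enabled, and the default 'admin' account still present. The XML element paths are assumptions based on the usual layout of a PAN-OS configuration export and should be checked against your own export; the configuration snippet is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed location of the local device node in a PAN-OS config export
DEV = "devices/entry[@name='localhost.localdomain']"

def _open_net(cidr: str) -> bool:
    """True for a /0 entry (0.0.0.0/0 or ::/0), which permits any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _check_permitted(node, label, findings):
    """Flag a missing permitted-ip list or an entry that allows any source."""
    cidrs = [e.get("name") for e in node.findall("permitted-ip/entry")]
    if not cidrs:
        findings.append(f"{label}: no permitted-ip entries, any source may connect")
    findings.extend(f"{label}: permitted-ip {c} allows any source" for c in cidrs if _open_net(c))

def audit_mgmt_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    root, findings = ET.fromstring(xml_text), []
    system = root.find(f"{DEV}/deviceconfig/system")  # MGT port settings (assumed path)
    if system is None:
        findings.append("MGT: deviceconfig/system node not found")
    else:
        _check_permitted(system, "MGT", findings)
        for svc in ("disable-telnet", "disable-http"):  # only SSH, HTTPS and ping should remain
            if system.findtext(f"service/{svc}") != "yes":
                findings.append(f"MGT: {svc} is not 'yes' (cleartext service enabled)")
    # Interface Management profiles applied to data ports (assumed path)
    for prof in root.findall(f"{DEV}/network/profiles/interface-management-profile/entry"):
        label = f"profile {prof.get('name')}"
        _check_permitted(prof, label, findings)
        findings.extend(f"{label}: {svc} enabled" for svc in ("http", "telnet") if prof.findtext(svc) == "yes")
    if root.find("mgt-config/users/entry[@name='admin']") is not None:
        findings.append("default 'admin' account still exists")
    return findings

# Constructed sample export with several deliberate deviations from the guidelines
SAMPLE = """<config>
<mgt-config><users><entry name="admin"/><entry name="ops-alice"/></users></mgt-config>
<devices><entry name="localhost.localdomain">
<deviceconfig><system>
<service><disable-telnet>yes</disable-telnet><disable-http>no</disable-http></service>
<permitted-ip><entry name="0.0.0.0/0"/></permitted-ip></system></deviceconfig>
<network><profiles><interface-management-profile><entry name="allow-mgmt">
<https>yes</https><ssh>yes</ssh><http>yes</http><ping>yes</ping>
<permitted-ip><entry name="10.10.0.0/24"/></permitted-ip></entry>
</interface-management-profile></profiles></network></entry></devices></config>"""

if __name__ == "__main__":
    for finding in audit_mgmt_config(SAMPLE):
        print("FINDING:", finding)
```

Run it against the output of `show config running` exported as XML, or extend the service list if your deployment also disables SNMP or other services on the management interface.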